Retail Phishing Simulator Hacks First, Educates Later

It’s becoming harder and harder to find retailers that haven’t been the target of a large-scale cyber attack, and a common refrain in those stories is that the hackers used sophisticated and complex ways to get around digital security checkpoints. However, hackers often don’t have to go through all that trouble when a simple phishing attack can steal all the passwords and sensitive information they need.

According to a study from the Anti-Phishing Working Group, there were more than 250,000 individual phishing attempts during 2014 that cost a combined $4.5 billion in losses. Retail was no stranger to these attacks, which often trick employees into entering passwords and login information into false sites made to look official. In fact, in Q4 2014 alone, the retail industry attracted 29.37 percent of all phishing attempts, and payment services were the target of 25.13 percent, according to APWG.

Many retailers have struggled to contain the threat from phishing attempts, and few have succeeded in adequately educating and training employees against all the common ways a suspicious email or commandeered Wi-Fi login page can steal information that lets hackers gain access to internal databases. However, cybersecurity startup LUCY and CEO Oliver Muenchow think that they’ve come up with a way to more effectively show retail employees how easily they can give their information away online.

In an interview with the National Retail Federation, Muenchow explained how retailers can use LUCY to simulate a real phishing attempt on their organizations. By using LUCY as a “cybersecurity crash test dummy,” retailers can see which employees willingly give information away to illicit sites or login pages, Muenchow explained. Retailers can also customize these false flag campaigns to target different types of information.

However, LUCY doesn’t stop at just capturing information, Muenchow explained. The simulator can also be programmed to direct poorly performing employees to educational sites, where they can learn better techniques for protecting themselves in future phishing attempts.

“As hackers become more creative, businesses need to analyze where they are most vulnerable,” Muenchow said in a press release. “Could your employees be fooled into entering sensitive data on a professionally appearing website; would they download/execute programs from unknown sources; can malware enter and affect your network without being detected? LUCY helps answer all those questions.”

Preparing for phishing attempts might once have been a luxury in digital security, but statistics prove that it has become an absolute necessity ahead of the holiday shopping rush. According to cybersecurity consulting firm ZeroFox, 64 percent of retailers experience phishing attempts on Cyber Monday. By Thanksgiving, the overall number of phishing sites increases by 336 percent, capping at a daily total of 30 million predatory phishing links on social media platforms. Not all attacks are conducted on specially created sites, either, as the study found multiple instances of Twitter users posting popular hashtags with suspicious links to reach a larger audience.

While data thefts related to phishing attempts are as much a digital problem as a human one, Muenchow noted that the best bet for retailers under cyber-siege is closing the most easily exploited backdoors to their systems. Much like putting a lock on your home’s front door, educating employees on common phishing tactics can turn most dangers aside.

“Hackers are kind of lazy,” Muenchow told the NRF. “They want the easiest way in. Identifying these [human vulnerabilities] can significantly reduce the risks of hacking.”

While even the world’s most stringent anti-phishing training program wouldn’t be able to account for the all-powerful force of human error, LUCY might present a way to help even the least tech-savvy retailers out there realize where they’re going wrong with cybersecurity.